Publishing Your Plugin

Publishing takes your local build artifact and submits it to the VeloCMS marketplace review queue. The pipeline runs automated checks first — they complete in under 10 minutes — then a human reviewer checks for quality and policy compliance within 1-3 business days.

Pre-publish checklist

Before running velocms publish, make sure these are true. The automated stage will reject you for the first four; the human stage will soft-reject for the rest.

  • Manifest validates against the plugin-v2.json schema
  • All declared capabilities are actually used (no over-declaration)
  • Network access domains match what the code fetches
  • Tests pass (velocms test exits 0)
  • Admin settings panel includes a settings UI for every user-configurable value
  • preview/thumbnail.png exists (400×300, shows the plugin in action)
  • README explains what the plugin does, what credentials it needs, and how to configure it

Build and publish

# Compile
npm run build

# Pack to tarball + validate manifest
velocms build

# Login (first time only — browser OAuth)
velocms login

# Submit draft
velocms publish

Review stages

Automated stages 1-4 run immediately. Stage 5 is human review.

  • Stage 1 — Manifest validation: Schema check. Fails hard on missing required fields or invalid ID format.
  • Stage 2 — Capability audit:Static analysis of the compiled bundle. Flags any API access that isn't declared in the manifest.
  • Stage 3 — Security scan: Pattern-matching for eval(), new Function(), child_process, dynamic requires pointing outside the bundle, and credential logging patterns.
  • Stage 4 — Bundle size check: Plugins must be under 2 MB uncompressed. Bloated bundles slow hook invocation and hurt all tenants.
  • Stage 5 — Human review: Quality, policy compliance, truthful description, no misleading capability claims.

Common rejection reasons

  • Manifest ID doesn't follow reverse domain notation
  • Capabilities declared but not used (or used but not declared)
  • No tests submitted with the bundle
  • Description doesn't match what the plugin actually does
  • Missing permissions_displayed_to_user — tenants need to understand the consent
  • API key logged in plain text in error paths
  • Over-broad network access declaration (entire TLD instead of specific hostname)

Setting up paid pricing

If you want to charge for your plugin, add pricing to the manifest and connect a Stripe account via the developer portal at /developers/stripe-connect. VeloCMS handles the checkout; you receive 80% of every sale via Stripe Connect Express payouts.

{
  "pricing": {
    "model": "paid",
    "price_usd": 999,
    "stripe_price_id": "price_1..."
  }
}